The Security expert Bernardo Rodrigues (@bernardomr) has discovered the presence of a “backdoor-within-a-backdoor” in roughly 600,000 Arris cable modems.
Rodrigues is a vulnerability tester at Brazil’s Globo television network, he reported the undocumented library in three Arris cable modems, the company promptly replied that it is working to fix the issue.
Locate the Arris cable modems is quite easy with Shodan, in this way the expert exposed more that 600,000 affected devices.
In 2009 was reported for the first time a backdoor in the Arris cable modems, which were accessible using an admin password based on a known seed. Rodrigues has made a singular discovery, a backdoor affecting the hidden administrative shell that is implemented in the Arris cable modems.
“The default password for the SSH user ‘root’ is ‘arris’. When you access the telnet session or authenticate over SSH, the system spawns the ‘mini_cli’ shell asking for the backdoor password,” Rodrigues wrote in a blog post. “When you log using the password of the day, you are redirected to a restricted technician shell (‘/usr/sbin/cli’)”
The expert discovered that this nested backdoor uses a password based on the last five digits of the serial number of the device.
“They put a backdoor in the backdoor [which gives] a full busybox shell when you log on the Telnet/SSH session using these (serial number -based) passwords.”
A representative from the company ranked the risk as low and confirmed that the company is not aware of attacks in the wide.
“The risk related to this vulnerability is low, and we are unaware of any exploit related to it,” a spokeswoman says. “However, we take these issues very seriously and review them with the highest priority. Our team has been working around the clock on modem updates that address this reported vulnerability.”
Rodrigues also developed a keygen that can be used to calculate the password for the nested backdoor, a Metasploit module was already written to automate the exploitation of that flaw.
Rodrigues reported the flaws to CERT/CC which is already working with the vendor to solve the problem.
Below a video PoC of the nested backdoor in the Arris cable modems.
(Security Affairs – Arris cable modems, hacking)